Release Note24.05.2022

Relution Server Release 5.11.2


Relution App Family

The migration for Relution clients for iOS already in use, announced in the last release 5.10, will be carried out with the current release 5.11.2. A guide in the Relution portal supports you during the migration:


Devices with existing Relution clients will receive the new Relution Agent. The old Relution Client is not automatically uninstalled and must be removed from the device via a “Remove app” action after successful testing.

The new Relution Teacher app is not automatically installed. If the app is needed, it must be added to teacher devices via app compliance.

Note: Please be aware of the announced mandatory measures for the migration to the respective new apps. You can find instructions for this in our Insight Relution app family.

All new organizations will receive the new Relution iOS apps by default starting with version 5.11.2.

The migration of the Android Classic app will follow with one of the next versions.

JSON Web Token (JWT)

Previously, a server-side session was created with each successful login. With version 5.11.2 these are replaced by JSON Web Token (JWT ). From now on, a token is generated at login, which the client sends along with the request and the validity is checked by the server. This allows the server to be restarted at any time and, in a cluster operation, to forward the requests Round Robin to the nodes.

In addition, the “Log in as …” function has been extended for the system administrator. With this function, an administrator can assume the identity of another user. With 5.11.2, the identity can also be terminated again.

Hardware recommendations

Please note our new hardware recommendations to run a stable Relution system. More about this in our Installation guide.

Important information for Secure Mail Gateway users

Microsoft is making some changes to improve the security of Microsoft 365. In 2019, it was already announced that basic authentication for older Exchange Online will be abolished.

The Relution Secure Mail Gateway uses the Exchange Webservices Protocol (EWS) and checks user authentication via Basic Authentication. Microsoft will disable Basic Authentication for the EWS protocol on October 01, 2022. Due to this change, the Relution SMG will no longer be able to check compliance.

Note: Please switch your configuration to a direct connection to Exchange Online before the appointment. You can find more information from Microsoft here.


DEP public enrollment

In the Store Organization, a DEP account can be marked as public to automatically enroll DEP devices in an assigned organization. In doing so, enrollment in the corresponding organization can optionally require user authentication. Enrollment is only possible with an associated user of the respective organization. Alternatively, automatic enrollment in the DEP profile can be limited to a specific user the organization.

Optimization of PKG files for macOS

Extension of PKG for macOS so that the metadata for version name and code from the PKG distribution file is used if this information is available.


Optimized Azure AD configuration in Relution

Windows devices can be automatically enrolled in Relution via Windows Autopilot. To do this, the Azure AD link must be set up in the Relution settings. As of now, there is an option in the Azure AD guide to conveniently check the configuration directly against Azure AD. The result of a non/successful login to the Azure AD server is displayed as feedback. If necessary, adjustments to the settings can be made directly.


Linked Azure AD users, groups or Autopilot devices are automatically synchronized. The sync interval can be defined in the application.yml. By default, the sync value is set to 23 hours. The result of the last Azure AD sync for users, groups and auto-enrollments is summarized. If an error occurred during a synchronization, these can be viewed in detail on the overview page in the Azure AD guide. The existing configuration can be rechecked, edited or deleted.


In addition, further toggles are available on the overview page for activating the synchronization of devices and activating enrollments via Windows Autopilot in general.


Information about the last logged in Azure user

For Windows devices that have been auto enrolled via Autopilot, the first name, last name, and email address of the current user are stored in the corresponding device details should the device send an Azure token with this information. If there is no token or the information is empty, the existing information for that device is retained in the details.

Public Windows apps in the Relution app catalog

To ensure that only Windows apps from the Windows App Store are imported that can also be installed on Windows desktop devices, a new Windows API has been integrated.

Usability / Functional Optimizations
  • Adaptation of CSV export and import for devices so that the internal field names are used.
  • Adjustment of CSV export and import for users and groups, so that the internal field names are used.
  • Using the new Microsoft Store endpoints to retrieve metadata from public Windows applications.
  • Optimization of LDAP import for teachers, students and classes to ensure that all data is imported.
  • When synchronizing with Azure AD, the specific "userPrincipalName" is used as the email address in the user email field in Relution.
  • The WiFi configuration for tvOS and macOS displays the SSID in the configuration overview of a policy.
  • The new version of a public policy in the store organization is automatically applied to all devices in organization associated with that policy.
  • The logo of the Relution organization in the header changes automatically when a multi-tenant user moves to another organization.
  • VPP user names are consistently displayed in all relevant views, if available.
  • Troubleshooting the display of user-defined device fields.
Technical optimizations
  • Fixing manual LDAP synchronization in cluster environments, in conjunction with a secondary node.
  • Automatic renewal of the Apple device SCEP CA and the corresponding issued device certificates before their expiration, by default starting 180 days before expiration.
  • Extension of the API to mark a device as deleted, with the possibility to clean up the device details and device properties as well.
  • Adding Spring4Shell measures as an additional safeguard, even if Relution is not affected by the vulnerability.
  • Optimization of LDAP synchronization and avoidance of wrong actions in case of occurring errors.
  • Bugfix on login screen due to missing permissions after page redirection.
Technical changelog

The changelog for the release can be found here.